Secure method for performing a modular exponentiation operation

ABSTRACT

The invention concerns a secure method for performing an exponentiation operation which consists in carrying out an operation of type U=V{circumflex over ( )}W modulo X. U, V, X are integers, W is an integer used in the form of a number W* masked by a fractional masking parameter randomly selected at each execution of the method. The invention is applicable to smart cards.

[0001] The present invention concerns a secure method for performing an exponentiation operation, with application in particular in the field of cryptography. The invention applies in particular to cryptographic algorithms implemented in electronic devices such as smart cards.

[0002] Many cryptographic algorithms are based on exponentiation calculations of the type U=V{circumflex over ( )}W modulo X, where U, V and X are integer numbers most often large in size, and W is a predetermined number. The numbers U, V can correspond for example to an encrypted text or one to be encrypted, a signed data item or one to be signed, a verified data item or one to be verified, etc. The numbers W and X can correspond to elements of keys, either private or public, used for encryption or decryption of the numbers U, V.

[0003] One of these algorithms is the RSA (Rivest, Shamir and Adleman) algorithm, which makes it possible to obtain a signature or a decrypted message s using a private key comprising three integer numbers d, p and q, p and q being large prime numbers, the product of which is equal to N. In a typical example, d and N have 1024 bits, and p and q have 512 bits.

[0004] Many works present the RSA algorithm in detail; it is however necessary to repeat here the basic principles of this algorithm, which makes it possible to calculate the signature s:

s=m{circumflex over ( )}d mod(p.q)=m{circumflex over ( )}d mod(N)

[0005] The RSA algorithm can be implemented using the Chinese Remainder Theorem. Through the application of this theorem, the signature s is obtained by:

s=m{circumflex over ( )}d mod(N)=CRT(s _(p) , s _(q))

[0006] The function CRT(s_(p), s_(q)) is commonly referred to as the recombination formula according to the Chinese Remainder Theorem. The CRT function is calculated for example as follows:

CRT(s _(p) , s _(q))=s _(p) +p×Y,

with:

Y=i _(p)(s _(q) −s _(p)) mod(q)

d _(p) =d mod(p−1), s _(p) =m{circumflex over ( )}d _(p) mod(p)

d _(q) =d mod(q−1), s _(q) =m{circumflex over ( )}d _(q) mod(q)

i _(p)=(1/p) mod(q)

[0007] The same algorithm makes it possible to verify the validity of the signature s of a message m by verifying that the equation:

m=s{circumflex over ( )}e mod(N)

[0008] is satisfied.

[0009] The numbers e and N form the public key associated with the private key (d, p, q); the numbers e and N verify the equations:

N=p×q

pgcd(e, Φ(N))=1

e×d=1 mod(Φ(N)),

[0010] Φ(N) being Euler's totient function defined by Φ(N)=(p−1)(q−1).

[0011] It should be noted that all the elements d, p, q of a private key and all the elements e, N of an associated public key are odd. This is because, p and q being large prime numbers, they are necessarily odd. Φ(N)=(p−1)(q−1) is therefore even and N=p×q is odd. As e and Φ(N) are mutually prime, e is odd. As e×d=1 mod(Φ(N)), e×d is odd, and therefore d is also odd.

[0012] Other algorithms, cryptographic or not, also use exponentiation operations of the type U=V{circumflex over ( )}W modulo X, possibly implemented by the Chinese Remainder Theorem, for example the Rabin-Williams cryptosystem or else the Diffie-Hellman key exchange modulo a composite number.

[0013] A malicious user can possibly institute covert channel attacks, aiming to discover in particular confidential information (like for example the numbers d or p) contained and manipulated in processing performed by the calculation device executing an exponentiation operation. The best-known covert channel attacks are referred to as simple or differential. Simple or differential covert channel attack means an attack based on a physical quantity measurable from outside the device, and whose direct analysis (simple attack) or analysis according to a statistical method (differential attack) makes it possible to discover information contained and manipulated in processing carried out in the device. These attacks can thus make it possible to discover confidential information. These attacks have in particular been disclosed by Paul Kocher (Advances in Cryptology—CRYPTO'99, vol. 1666 of Lecture Notes in Computer Science, pp. 388-397. Springer-Verlag, 1999).

[0014] Amongst the physical quantities that can be exploited for these purposes, there can be cited the execution time, the current consumption, the electromagnetic field radiated by the part of the component used for executing the calculation, etc. These attacks are based on the fact that, during the execution of an algorithm, the manipulation of a bit, that is to say its processing by a particular instruction, leaves a particular print on the physical quantity under consideration, according to the value of this bit and/or according to the instruction.

[0015] The aforementioned exponentiation algorithms have had to include countermeasures for preventing such attacks from succeeding.

[0016] Paul Kocher proposed in particular, in the document WO 99/35782, a procedure which consists in particular of masking the derived variables d_(p), d_(q) of the number d by the addition of a random integer number. More precisely, the variables d_(p), d_(q) are not used directly in the algorithm, but are used in the form of masked numbers d_(i)*=d_(i)+r_(i)×(p−1), with i equal to p or q, and r_(i) (r_(p) or rq) random integer numbers, modified at each implementation of the algorithm. In one example disclosed in the document WO 99/35782, this procedure is used within the context of an RSA algorithm implemented according to the Chinese Remainder Theorem. The algorithm then breaks down as follows:

[0017] First of all s_(p)* and s_(q)* are calculated:

s _(p) *=[m{circumflex over ( )}d _(p)*] mod(p)=[m{circumflex over ( )}(d _(p) +r _(p)×(p−1))] mod(p)

s _(q) *=[m{circumflex over ( )}d _(q)*] mod(q)=[m{circumflex over ( )}(d _(q) +r _(q)×(p−1))] mod(q)

[0018] Next the number s is calculated by means of the recombination formula:

s=s*=CRT(s _(p) *, s _(q)*)

[0019] The equality s=s* is deduced from the definition of d_(p), d_(q), d_(p)*, d_(q)* and Fermat's theorem, according to which A{circumflex over ( )}(B−1)=1 mod(B) when B is a prime integer number and A is relatively prime with B. In the present case, the following is deduced from Fermat's theorem: $\begin{matrix} {{m\hat{}d_{p}^{*}} = {m\hat{}\left( {d_{p} + {r_{p} \times \left( {p - 1} \right)}} \right)}} \\ {= {{m\hat{}d_{p}} \times {m\hat{}\left( {r_{p} \times \left( {p - 1} \right)} \right)}}} \\ {= {{m\hat{}d_{p}} \times {{1\left\lbrack {{mod}(p)} \right\rbrack}.}}} \end{matrix}$

[0020] Since m{circumflex over ( )}d_(p)*=[m{circumflex over ( )}d_(p)] [mod(p)], this gives s_(p)=s_(p)*. A similar reasoning makes it possible to deduce s_(q)=s_(q)*. Finally, as s_(p)=s_(p)* and s_(q)=s_(q)*, s=s*.

[0021] The procedure disclosed in the document WO 99/35782 is in particular effective for countering differential covert channel attacks. It also complicates simple attacks.

[0022] However, this procedure is not effective against a particular attack detailed below (which, for the sake of simplification, will subsequently be referred to as a CRT attack) within the context of an example relating to the RSA algorithm. More generally, the CRT attack can be envisaged for any algorithm implemented by means of the Chinese Remainder Theorem.

[0023] In the example of an RSA algorithm implemented by means of the Chinese Remainder Theorem, the CRT attack makes it possible to obtain the number p of the private key. It has been seen previously that the recombination formula making it possible to calculate s is written:

s=CRT(s _(p) , s _(q))=s _(p) +p×Y,

with

Y=i _(p)×(s _(q) −s _(p)) mod(q)

[0024] If p, q have a bits (for example 512 bits), then i_(p), s_(p), s_(q) have a bits, and so has Y. The product p×Y and the number s therefore have 2a bits. As s_(p) has a bits, it is deduced therefrom that the a most significant bits of s are equal to the a most significant bits of the product p×Y.

[0025] Furthermore, the Hamming weight H(Y) of the number Y can be obtained by a simple covert channel attack during the calculation of Y. It should be noted that the Hamming weight of the number Y is the number of bits at “1” in the number Y.

[0026] Knowing the most significant bits of the product p×Y and the Hamming weight of the number Y, it is possible to find the number p by successive iterations as follows:

[0027] an assumption is made on the value of b (for example b=8) most significant bits of p and the corresponding b most significant bits of Y are determined from the most significant bits of the product p×Y, which are given by the value of s. The probability that the assumption on the b most significant bits of p is correct is then calculated from the Hamming weight of Y, measured by a covert channel;

[0028] a reiteration is performed for each possible value of the b most significant bits of p and finally the most probable assumption for these b bits is adopted;

[0029] a reiteration is then performed for each packet of b bits of p, until a sufficient number of bits of p is obtained.

[0030] The procedure disclosed in the document WO 99/35782 is not effective against this CRT attack. This is because, in the document WO 99/35782, the recombination formula used is written:

s=CRT (s _(p) *, s _(q)*)=s _(p) *+p×Y*,

[0031] with s, p×Y* having a size of 2a bits and s_(p)* having a size of a bits.

[0032] It is therefore possible, by means of a CRT attack as just described, to determine the number p from the known number s, the product p×Y* and the Hamming weight of (Y*).

[0033] In view of the limitations of the procedure disclosed in the document WO 99/35782, one object of the invention is to propose a secure method for performing an exponentiation operation, protected against all attacks, including the CRT attacks as described above.

[0034] Another object of the invention is to propose a secure method for performing an exponentiation operation, at least as efficient as the method disclosed in the document WO 99/35782, in particular in terms of circuit size and calculation time.

[0035] Finally, another object of the invention is to implement a secure method for calculating an exponentiation operation, capable of being incorporated into any calculation method during which a calculation of the type U=V{circumflex over ( )}W modulo X has to be performed.

[0036] With these objectives in view, the object of the invention is a secure method for performing an exponentiation operation during which an operation of the type U=V{circumflex over ( )}W modulo X is performed, U, V, X being integer numbers, W being an integer number used in the form of a number W* masked by a masking parameter chosen randomly at each execution of the method.

[0037] According to the invention, the masking parameter is a fractional number.

[0038] The numbers W, X are in practice numbers that must be kept concealed, like elements of a private key, and/or numbers derived from such a key. For example, if the method according to the invention is used within the context of an RSA algorithm implemented according to the Chinese Remainder Theorem, the number W can be the variables d_(p), d_(q) used in a customary manner. The size of the numbers W, X is immaterial; it is for example 1024 bits.

[0039] The use of a fractional random masking parameter, instead of an integer random masking parameter, makes it impossible to obtain information on the number W by means of a covert channel attack or a CRT attack, as will be seen more clearly below in some examples.

[0040] According to preferred embodiments, the masking parameter is of the form R/K. R is a random integer number modified at each execution of the method. The size of the number R determines the security of the algorithm with respect to the so-called differential attacks; R can be chosen for example with a size of 32 bits. K is an integer number that is a divisor of the number Φ(X), Φ being Euler's totient function. K can be chosen constant or else can be modified at each execution of the method. The size of K is immaterial; it is for example close to the size of the number R.

[0041] Advantageously, the masked number W* is of the form W*={overscore (W)}+{overscore (R)}. {overscore (W)} is the default part of the result of the division of W by K, and {overscore (R)} is equal to the product of the masking parameter (R/K) and the number Φ(X).

[0042] The result U can then be expressed as a function of (U*){circumflex over ( )}K modulo X, with U*=V{circumflex over ( )}W* modulo X.

[0043] More precisely, the result U is equal to U=(U*){circumflex over ( )}K×V{circumflex over ( )}Z modulo X, with U*=V{circumflex over ( )}W* modulo X. Z is the remainder from the integer division of W by K.

[0044] The method of the invention, as described above, can be used advantageously in a global cryptographic method.

[0045] In an example that will be described more precisely, the cryptographic method is of RSA type, and is implemented according to the Chinese Remainder Theorem. In this case, the invention is used in particular for masking a possibly derived key (for example the derived keys d_(p), d_(q)) by a masking parameter chosen randomly at each execution of the method, the masking parameter being a fractional number.

[0046] Another object of the invention is an electronic component comprising a calculation circuit for implementing a method according to the invention, for example, but not necessarily, within the context of a cryptographic algorithm.

[0047] Finally, another object of the invention is a smart card comprising said electronic component.

[0048] The invention and the advantages ensuing therefrom will emerge more clearly from a reading of the following description of a particular embodiment of the invention, given purely for information only and with reference to the single accompanying figure. This is an electronic device making it possible to implement the invention.

[0049] The single figure depicts in block diagram form an electronic device 1 capable of performing exponentiation calculations. In the example, this device is a smart card intended to execute a cryptographic program. To that end, the device 1 combines, in a chip, programmed calculation means consisting of a central unit 2 connected functionally to a set of memories including:

[0050] a memory 4 accessible for reading only, in the example of the mask ROM (mask read-only memory) type;

[0051] an electrically reprogrammable memory 6, in the example of the EEPROM (electrically erasable programmable ROM) type; and

[0052] a working memory 8 accessible for reading and writing, in the example of the RAM (random access memory) type. This memory comprises in particular the registers used by the device 1.

[0053] The executable code corresponding to the exponentiation algorithm is contained in program memory. This code can in practice be contained in the memory 4, accessible for reading only, and/or in the memory 6, which is rewritable.

[0054] The central unit 2 is connected to a communication interface 10 which provides the exchange of signals with regard to the outside and the powering of the chip. This interface can comprise pads on the card for a so-called “contact-based” connection with a reader, and/or an antenna in the case of a so-called “contactless” card.

[0055] One of the functions of the device 1 is to encrypt or decrypt a confidential message m respectively transmitted to, or received from, the outside. This message can concern for example personal codes, medical information, accounting on banking or commercial transactions, authorisations for access to certain restricted services, etc. Another function is to calculate or verify a digital signature.

[0056] To that end, the central unit 2 executes a cryptographic algorithm, using an exponentiation calculation, on programming data which are stored in the mask ROM 4 and/or EEPROM 6 parts.

[0057] In the example described here, the exponentiation algorithm is of RSA type, implemented by the use of the Chinese Remainder Theorem. The algorithm is used for signing a message m using a private key comprising three integer numbers d, p and q. In the example, d has 1024 bits, and p and q have 512 bits.

[0058] In the example, an exponentiation calculation s=m{circumflex over ( )}d mod(p.q) is performed, where m is a predetermined message and d, p, q are integer numbers which are elements of the private key. The number s obtained constitutes a signature of the message m.

[0059] The numbers d, p, q (elements of the key) are stored in a portion of the rewritable memory 6, of EEPROM type in the example.

[0060] When the exponentiation calculation device 1 is called upon for the exponentiation calculation, the central unit first of all stores the number m, transmitted by the communication interface 10, in working memory 8, in a calculation register. The central unit will next read the keys d, p, q contained in rewritable memory 6, in order to store them temporarily, for the time of the exponentiation calculation, in a calculation register in the working memory 8. The central unit then initiates the exponentiation algorithm.

[0061] According to the invention, the derived keys d_(p), d_(q) of the key d are masked by a random fractional number as follows.

[0062] The central unit first of all chooses a number k_(p) which is a divisor of p−1, and a number k_(q) which is a divisor of q−1, with p, q being elements of the key; k_(p), k_(q) are stored in another calculation register in the working memory 8. According to the embodiment chosen, k_(p) can be modified at each implementation of the algorithm or else can be kept constant. The size of k_(p) is immaterial, but necessarily less than the size of p−1.

[0063] The central unit also chooses two random numbers r_(p), r_(q) and stores them in two other calculation registers in the working memory. r_(p), r_(q) are preferably modified at each implementation of the algorithm. The size of the numbers r_(p), r_(q) is generally a compromise between, on the one hand, the size of the memory 8 in which they are stored and the calculation times (which increase with the size of the numbers r_(p), r_(q)) and, on the other hand, the security of the algorithm (which also increases with the size of the numbers r_(p), r_(q)).

[0064] The central unit next calculates the following variables d_(p)*, a_(p), d_(q)*, a_(q):

d _(p) *={overscore (d)} _(p) +{overscore (r)} _(p),  (Formula 1)

a _(p) =d _(p) mod k _(p)  (Formula 2)

[0065] with {overscore (d)}_(p)=└d_(p)/k_(p)┘ and {overscore (r)}_(p)=r_(p)×(p−1)/k_(p)

d _(q) *={overscore (d)} _(q) +{overscore (r)} _(q),  (Formula 3)

a_(q)=d_(q) mod k_(q)  (Formula 4)

[0066] with {overscore (d)}_(q)=└d_(q)/k_(q)┘ and {overscore (r)}_(q)=r_(q)×(q−1)/k_(q)

[0067] {overscore (d)}_(p), a_(p) are respectively the result and the remainder from the integer division of d_(p) by k_(p).

[0068] {overscore (d)}_(q), aq are respectively the result and the remainder from the integer division of d_(q) by k_(q).

[0069] The central unit stores the variables d_(p)*, a_(p), d_(q)*, a_(q) in registers in the working memory. Subsequently, the intermediate variables obtained throughout the calculation will also be stored in a portion of the working memory 8.

[0070] The central unit next calculates the variables:

s _(p) *=m{circumflex over ( )}d _(p)* mod p

s _(q) *=m{circumflex over ( )}d _(q)* mod q

[0071] and then the signature s using the variables s_(p)*, a_(p), k_(p), s_(q)*, a_(q), k_(q). For this, the central unit uses the fact that:

s _(p)=[(m{circumflex over ( )}d _(p)*){circumflex over ( )}k _(p) ×m{circumflex over ( )}a _(p)] mod(p),  (Formula 5)

s _(q)=[(m{circumflex over ( )}d _(q)*){circumflex over ( )}k _(q) ×m{circumflex over ( )}a _(q)] mod(q),  (Formula 6)

s=CRT(s _(p) , s _(q))  (Formula 7)

[0072] It should be noted that the above expressions of s_(p), s_(q) are deduced from the fact that {overscore (d)}_(p), {overscore (d)}_(q) and a_(p), a_(q) are defined so that d_(p)={overscore (d)}_(p)×k_(p)+a_(p) and d_(p)={overscore (d)}_(p)×k_(p)+a_(p), which makes it possible to write: $\begin{matrix} \begin{matrix} {s_{p} = {\left\lbrack {m\hat{}d_{p}} \right\rbrack \quad {{mod}(p)}}} \\ {= {{\left( {m\hat{}{\overset{\_}{d}}_{p}} \right)\hat{}k_{p}} \times {m\hat{}a_{p}}\quad {{mod}(p)}}} \\ {= {{m\hat{}\left( {{\overset{\_}{d}}_{p} \times k_{p}} \right)} \times {m\hat{}a_{p}}\quad {{mod}(p)}}} \\ {= {{m\hat{}\left( {{\overset{\_}{d}}_{p} \times k_{p}} \right)} \times {m\hat{}\left( {r_{p} \times \left( {p - 1} \right)} \right)} \times}} \\ {{{m\hat{}a_{p}}\quad {{mod}(p)}}} \\ {= {{m\hat{}\left\lbrack {\left( {{\overset{\_}{d}}_{p} + {\overset{\_}{r}}_{p}} \right) \times k_{p}} \right\rbrack} \times {m\hat{}a_{p}}\quad {{mod}(p)}}} \\ {= {{\left( {m\hat{}d_{p}^{*}} \right)\hat{}k_{p}} \times {m\hat{}a_{p}}\quad {{mod}(p)}}} \\ {= {{\left( s_{p}^{*} \right)\hat{}k_{p}} \times {m\hat{}a_{p}}\quad {{{mod}(p)}.}}} \end{matrix} & \left( {{{Fermat}'}s\quad {theorem}} \right) \end{matrix}$

[0073] The demonstration of the correctness of the expression for s_(q) is of course similar.

[0074] In a practical example implementation where k_(p)=k_(q) and a_(p)=a_(q), the equalities 5 and 6 make it possible to simplify the equality 7 in the form: $\begin{matrix} \begin{matrix} {s = {{{CRT}\left( {s_{p},s_{q}} \right)} = {\left\{ {{\left\lbrack {{CRT}\left( {s_{p}^{*},s_{q}^{*}} \right)} \right\rbrack\hat{}k_{p}} \times {m\hat{}a_{p}}} \right\} \quad {{mod}N}}}} \\ {= {\left\{ {{\left( {s_{p}^{*} + {p \times Y^{*}}} \right)\hat{}k_{p}} \times {m\hat{}a_{p}}} \right\} \quad {{mod}N}}} \\ {= {\left\{ {{\left\lbrack {{CRT}\left( {s_{p}^{*},s_{q}^{*}} \right)} \right\rbrack\hat{}k_{p}} \times {m\hat{}a_{p}}} \right\} \quad {{mod}N}}} \end{matrix} & \left( {{Formula}\quad 7^{\prime}} \right) \end{matrix}$

[0075] In a numerical example, k_(p)=k_(q)=2 is chosen. In this case, a_(p)=a_(q)=1 since all the elements of a secret key and of an associated public key are odd (see above). This is because, d, p and q being odd numbers, the numbers d_(p)=d mod(p−1) and d_(q)=q mod(q−1) are also odd. Consequently, a_(p), the remainder from the division of d_(p) by k_(p)=2, is necessarily equal to 1. For the same reasons, a_(q), the remainder from the division of d_(q) by k_(q)=2, is of course equal to 1.

[0076] The equality 7 is insensitive to differential and simple covert channel attacks. This is because the random terms in the numbers s_(p)*, s_(q)* mask the data d_(p), d_(q), just as in the document WO 99/35782.

[0077] Furthermore, the equality 7 is insensitive to CRT attacks. This appears more clearly in the simplified formula 7′. The sum s_(p)*+p×Y*, essential for successfully concluding a CRT attack, does not appear directly in the equation 7′; it appears only to the power k_(p). However, it is surmised to be impossible to extract from s a k_(p) ^(th) root without knowing the modulus N. It is therefore not possible to calculate s_(p)*+p×Y*; it is therefore not possible to obtain the bits of p by means of a CRT attack.

[0078] An algorithm according to the invention is therefore well protected against all these attacks. 

1. A secure method for performing an exponentiation operation during which an operation of the type U=V{circumflex over ( )}W modulo X is performed, U, V, X being integer numbers, W being an integer number used in the form of a number W* masked by a masking parameter chosen randomly at each execution of the method, characterised in that the masking parameter is a fractional number.
 2. A method according to claim 1, characterised in that the masking parameter is of the form R/K, where R is a random integer number and where K is an integer number that is a divisor of the number Φ(X), Φ being Euler's totient function.
 3. A method according to claim 2, characterised in that the number K and/or the number R are modified at each execution of the method.
 4. A method according to claim 2 or claim 3, characterised in that the masked number W* is of the form W*={overscore (W)}+{overscore (R)}, {overscore (W)} being the default part of the result of the division of W by K, and {overscore (R)} being equal to the product of the masking parameter R/K and the number Φ(X).
 5. A method according to one of claims 2 to 4, characterised in that the result U is a function of (U*){circumflex over ( )}K modulo X, with U*=V{circumflex over ( )}W* modulo X.
 6. Use of a secure method according to one of claims 1 to 5 in a cryptographic method.
 7. Use of a secure method according to one of claims 1 to 5 in a cryptographic method implemented according to the Chinese Remainder Theorem, for masking a possibly derived key by a masking parameter chosen randomly at each execution of the method, the masking parameter being a fractional number.
 8. Use of a secure method according to claim 7, characterised in that the cryptographic method is an RSA type method.
 9. An electronic component comprising a calculation circuit for implementing a method according to one of claims 1 to
 5. 10. An electronic component comprising means for implementing a cryptographic method using a method according to one of claims 1 to
 6. 11. A smart card comprising an electronic component according to claim 9 or claim
 10. 